Unencrypted NHS patient data on memory sticks, warns survey

Doctors are carrying around unencrypted patient data on USB memory sticks, according to stinging research carried out in a London hospital.

Leo King
September 5, 2008


But the NHS maintained it is taking the right steps to protect data, and that clinicians have to follow guidelines that insist on the encryption of identifiable patient data.

In a study conducted in one London hospital, clinicians Sven Putnis and Andrew Bircher found that 92 of 105 doctors surveyed carried memory sticks, Health Service Journal reported. Some 79 of these memory sticks held confidential patient information, but only five doctors had followed NHS rules and encrypted their data.

The authors said the information included patient names and birth dates, alongside x-ray results, diagnoses, and treatment details, HSJ reported.

Calling the results “worrying”, the researchers said there was “no reason why this lack of security would not be mirrored in surveys across every hospital in the UK and beyond”.

They said data collection and processing had made patient care “more efficient” but that it was important the technology was monitored “to ensure we uphold patients' rights to privacy”.

But the NHS hit back at the findings, saying it had issued clear instructions to local trusts that all identifiable patient data on portable devices has to be encrypted.

Dr Simon Eccles, Medical Director at Connecting for Health, told Computerworld UK that typically patients were assigned codes that meant such records would be unidentifiable to anyone but staff.

“[NHS chief executive] David Nicholson quite rightly said that any portable device that contains identifiable information must be encrypted,” he said, adding that the NHS is rolling out McAfee Safeboot software across all hospitals to protect the data.

But he added: “At the end of the day, the responsibility for data must rest with the individual clinician.” Ideally data should be both unidentifiable and encrypted, he said.

A spokesperson at the Department of Health added: “The NHS locally has legal responsibility to comply with data protection rules.”

Reports of data losses in the NHS have raised concerns over the £12.7 billion National Programme for IT, which is building a central spine of patient data accessible by NHS staff with a smartcard and passcode. In the summer, analysts said the NHS should urgently reconsider the programme, and weigh up the benefits of patients carrying their own data instead.